IsCommandAvailable

Normally, the command list is dynamically built up based on the rights granted by the access template(s) that the delegated admin is a trustee for.

Is there a reason this is not suitable for you?

Note. AR Client layout (MMC, WI, script) is just a presentation of the content (AD) more or less friendly and, strictly speaking, nothing to do with permissions granted.

Real granular access permissions are to be enforced via AR Access Templates (AT).

IsCommandAvailable is used to limit the visibility of items based on other criteria, not permissions. So, for instance, we have an option to 'Suspend' a user which simply updates an attribute. So, we use IsCommandAvailable to hide this option if the attribute has already be set. This all works fine. What we are trying to do now is change the visibility of the menu items based on the administrator currently logged in. Again, this isn't permissions or access template related. IsCommandAvailable lets you easily access the directory object of the item select but we need to access the details of the administrator performing the action.

The $Session object has information regarding the credential used to access the session.

The Active Roles SDK has more information, but it looks like you can access the current session using  $Security.Sessions.Current object which has a UserName property.

That would be PowerShell, IsCommandAvailable is vbscript with a web session.

You can access the object with whichever scripting language you prefer. There are both VBScript and PowerShell samples in the SDK.

Well I tried but the script refused to run:

Set Session = Security.Sessions.Current
' Retrieve AdsPath of the user in which security context
' this session is running
strUserAdsPath = Session.UserPath

I don't think Security is available via VBScript in a web session. I can't find any errors anywhere though.

As an update, it does appear there is a Request object of type RequestFormForScript but I can't seem to pry anything out from it.

Hi Nicholas,

As a workaround to sort of trick this into working, you can do the following:

• Create a new virtual attribute, any type and not stored. You can name this something along the lines of "Command_Availability_CommandName" to keep it simple to remember. (Reconnect the MMC and restart IIS)
• Create an access template to allow modify of this new virtual attribute.
• Assign the access template to the appropriate administrator or group.
• In the web interface on the visibility tab when modifying the command, select the second option, "If the user has sufficient rights and the object selected by the user meets each of the following conditions". Under that section, in the list for "The user is allowed to modify each of these properties of the selected object:", click the Add button and add the new virtual attribute.

So the above with then check if the logged in administrator has access to modify the new virtual attribute, and if they do based on the access template, the command will be displayed.

Keep in mind though, if the other administrators have 'Modify - All Properties' that's propagated to the object, the command will also be displayed. So you may have to deal with this by denying access for everyone else.